THE p-ADIC CM-METHOD FOR GENUS 2


P. GAUDRY, T. HOUTMANN, D. KOHEL, C. RITZENTHALER, AND A. WENG 


Abstract. We present a nonarchimedian method to construct hyperelliptic CM-curves of 
genus 2 over finite prime fields. 


Throughout the document we use the following conventions (this is only for the reference 
and use of the authors): 

$d$ degree of the base field of the curve, i.e. $C/\mathbb{F}_{2^d}$

$s$ number of isomorphism classes; in the elliptic curve case $s = h_K$

$n$ degree of an irreducible component of class invariants

$K$ a CM field

$K_0$ the real subfield of $K$

$K^*$ the reflex CM field of $K$

$K_0^*$ the real subfield of $K^*$

$j_1$ absolute Igusa invariant

$j_2$ absolute Igusa invariant $J_2^3 J_4 J_{10}^{-1}$

$j_3$ absolute Igusa invariant $J_2^2 J_6 J_{10}^{-1}$

$N$ 2-adic precision

1. Introduction 

In 1991 Atkin proposed an algorithm for constructing elliptic curves over finite fields with
a given endomorphism ring [Atk91, AM93]. This algorithm, originally proposed to speed
up the Goldwasser-Kilian primality test, has several applications. Since knowledge of
the endomorphism ring enables us to easily determine the number of points on the elliptic
curve, it can for example be used to construct elliptic curves of prime order, which has
applications to cryptography. The complex multiplication method has also become attractive
for constructing suitable curves for pairing-based cryptography [DEM04, BLS02, BW03].

The usual CM-method works with floating point arithmetic. We first construct all
$h = h(\mathcal{O})$ isomorphism classes of elliptic curves with complex multiplication by a given order
$\mathcal{O}$ of discriminant $D$ in an imaginary quadratic field $K = \mathbb{Q}(\sqrt{D})$. We then compute their
$j$-invariants numerically and build the minimal polynomial

$$H_D(X) = \prod_{i=1}^{h} (X - j_i)$$

which by theory has integer coefficients that can be recognized from their floating point values
if the precision of the computation is high enough. The CM-method has been generalized to
higher genus, i.e. to genus 2 curves and some special cases in genus 3 [Wen03, Wen01, KW04].

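The floating-point CM-method described above, carried out for small discriminants as an added example (not code from the paper): reduced forms are enumerated, $j$ is evaluated in double precision from the $q$-expansions of $E_4$ and $\Delta$, and the coefficients of $H_D(X)$ are rounded to integers. The function names and the tolerance `tol` are choices made for this example; for $D = -15$ it returns the polynomial quoted in Example 2.1.

```python
import cmath
import math


def reduced_forms(D):
    """Primitive reduced forms (a, b, c) with b^2 - 4ac = D < 0."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("D must be a negative discriminant")
    forms = []
    a = 1
    while 3 * a * a <= -D:                    # reduced forms have a <= sqrt(|D|/3)
        for b in range(-a + 1, a + 1):        # -a < b <= a
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (c == a and b < 0):   # need a <= c, with b >= 0 if a == c
                continue
            if math.gcd(math.gcd(a, b), c) == 1:
                forms.append((a, b, c))
        a += 1
    return forms


def j_invariant(tau, terms=30):
    """j(tau) = E4(tau)^3 / Delta(tau), both summed from their q-expansions."""
    q = cmath.exp(2j * cmath.pi * tau)
    e4 = 1 + 240 * sum(n ** 3 * q ** n / (1 - q ** n) for n in range(1, terms))
    delta = q
    for n in range(1, terms):
        delta *= (1 - q ** n) ** 24
    return e4 ** 3 / delta


def class_polynomial(D, tol=1e-3):
    """Return (coeffs, err): the integer coefficients of H_D(X), highest degree
    first, and the largest distance of a computed coefficient from an integer."""
    coeffs = [complex(1)]
    for a, b, _c in reduced_forms(D):
        tau = complex(-b, math.sqrt(-D)) / (2 * a)
        root = j_invariant(tau)
        # multiply the running product by (X - root)
        coeffs = [hi - root * lo for hi, lo in zip(coeffs + [0], [0] + coeffs)]
    ints = [round(z.real) for z in coeffs]
    err = max(max(abs(z.real - n), abs(z.imag)) for z, n in zip(coeffs, ints))
    if err > tol:
        # double precision no longer separates the coefficients from integers
        raise ArithmeticError("precision too low to recognise the coefficients")
    return ints, err


if __name__ == "__main__":
    for D in (-4, -7, -15):
        print(D, class_polynomial(D))
```

The returned `err` shows how much of the double-precision budget is left; once the coefficients outgrow it the function raises instead of rounding to a wrong integer.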
Recently, nonarchimedian approaches to the construction of class polynomials $H_D(X)$
and analogues have been developed (see [CH02, BS04]). In this setting, given an imaginary
quadratic order $\mathcal{O}$ of discriminant $D$ we choose a prime $p$ of size roughly $D$ such that there
exists an elliptic curve with complex multiplication by $\mathcal{O}$ over $\mathbb{F}_p$; such a curve is found
by exhaustive search. A canonical lift of the $j$-invariant of the initial curve is computed
$p$-adically to sufficient precision to recover its minimal polynomial $H_D(X)$ over $\mathbb{Q}$.

In this paper we consider an analogue of the nonarchimedian approach to construct class
polynomials of hyperelliptic curves of genus 2. We use a higher dimensional generalization
of the AGM over a 2-adic field.

Our paper is organized as follows. We first demonstrate the basic idea by using an example
in genus 1 (see Section 2). We then recall some theoretical facts on complex multiplication
of abelian varieties of dimension 2 (see Section 3). In Section 4 we give an overview of the
complete algorithm.

For our algorithm we need to explain how to run over isomorphism classes of ordinary genus
2 curves in characteristic 2 (see Section 5). We also need to describe the AGM method for
hyperelliptic curves of genus 2 (see Section 6). We revise the p-adic LLL-algorithm and
describe some modifications which are specific to our situation (see Section 7). We also
discuss how to determine the endomorphism ring of a hyperelliptic curve over characteristic
2 in special cases (Section 8).

Finally, we give numerical examples which show that the p-adic method can be efficiently
used to compute class polynomials of certain quartic CM fields (see Section 9).


2. Description of the basic AGM method for elliptic curves 


We first recall the AGM method for elliptic curves and explain how it can be used to
generate the class polynomial for imaginary quadratic fields $K = \mathbb{Q}(\sqrt{D})$ with $D \equiv 1 \bmod 8$.
Let $k$ be a 2-adic local field with uniformizer $\pi$ and let $a, b \in k$ be two elements such that

$$\frac{a}{b} \equiv 1 \bmod (8\pi).$$

We can then take the square root $x = \sqrt{a/b}$, which is uniquely determined if we impose the
condition $x \equiv 1 \bmod 4\pi$. The sequence of pairs defined by


(H^+I 5 


'i+1) 



derives from 2-isogenies between elliptic curves. More precisely, if $E_i$ is an elliptic curve given
by an equation of the form

$$E_i : y^2 = x(x - a_i^2)(x - b_i^2)$$

then the curve

$$E_{i+1} : y^2 = x(x - a_{i+1}^2)(x - b_{i+1}^2)$$

is 2-isogenous to $E_i$ (possibly over some extension). Moreover the value = $a_i/b_i$ is an
isomorphism invariant of the pair $(E_i, E_{i+1})$ with their full 2-torsion structures, and if $E_i$
is defined over the unramified extension of $\mathbb{Q}_2$, then $E_i \to E_{i+1}$ reduces to the Frobenius
modulo 2.

Suppose that we are given an ordinary elliptic curve $E$ over $\mathbb{F}_q$ with $q = 2^d$ for some $d$. Let
$\mathbb{Q}_q$ be the unique unramified extension of degree $d$ of $\mathbb{Q}_2$. Then by a theorem of J. Lubin,
J.-P. Serre and J. Tate [LST64], there exists an elliptic curve $\tilde{E}/\mathbb{Q}_q$ such that

$$\mathrm{End}(\tilde{E}) \cong \mathrm{End}(E).$$

This curve is called the canonical lift of $E$. Given $E$ with $\mathrm{End}(E) \cong O_K$ we want to construct
the polynomial $H_D(X)$. Suppose that $h_K = t \cdot d$, i.e. the prime $\mathfrak{p}_2$ lying above 2 in $\mathbb{Q}(\sqrt{D})$
has order $d$ in the class group. We use the AGM method to construct a cycle of 2-isogenous
elliptic curves

Eq — E ^ ^ ^ — tjQ 

where $\varphi_i : E_i \to E_{i+1}$ is a 2-isogeny. Repeating the cycle sufficiently many times, we get a
sequence of elliptic curves such that $\tilde{E}_j$ is a good approximation for the canonical lift of $E_j$.
We can then recover the $j$-invariant of $\tilde{E}_j$ with high precision. If $d \neq h_K$, we have to repeat
this process for other elliptic curves with the same endomorphism ring until we have found
all $j$-invariants in $\mathbb{Q}_q$. We then compute the class polynomial with coefficients in $\mathbb{Q}_q$ that we
recognize as integers if the precision is high enough.


Example 2.1. Consider a simple example. Let $D = -15$. Then 2 splits into two nonprincipal
prime ideals in $K = \mathbb{Q}(\sqrt{D})$ and we find the curve

E y'^ + xy = 

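over $\mathbb{F}_2(\alpha) = \mathbb{F}_2[x]/(x^2 + x + 1)$ with $\mathrm{End}(E) = O_K = \mathbb{Z}[(1 + \sqrt{-15})/2]$. We lift $E$ to the
curve $\tilde{E}/\mathbb{Q}_q$ where $\mathbb{Q}_q$ is the unramified extension of $\mathbb{Q}_2$ of degree 2 given by

$$\tilde{E} : y^2 = x(x - a_0^2)(x - b_0^2)$$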

where /? is a lift of a to Kq and Oq = 1 + 4/3^ and hQ = 1 — 4/3^. We now apply 13 rounds of 
the AGM and obtain 

i{El^) = 8026247402149799202321/3- 6102896026815785332240, 
j{El^) = 3730718496258231955951/3 + 2950325125578927178719. 

The Hilbert class polynomial, determined modulo 2^®, is given by 

$$H_{-15}(X) = X^2 + 191025X - 121287375.$$


N.B. The size of the coefficients of $H_D(X)$ can be explicitly bounded by


In(lO) 



where the sum runs over all reduced quadratic forms $(a, b, c)$ of discriminant $D$ (see [Coh96,
p. 416]), so the precision needed for this algorithm can be effectively determined.

There are two main obstructions to extending to an arbitrary discriminant $D$. First,
the size of the coefficients of the output polynomial $H_D(X)$ makes the construction of the
Hilbert class polynomial expensive even for $D$ of modest size, and second, the application of
the AGM imposed a congruence condition $D \equiv 1 \bmod 8$. In order to achieve a reduction in
the coefficient size, one can use alternative modular functions, e.g. on some modular curve
$X_0(N)$. In the AGM example, the modular invariant is a function on $X_0(8)$ of the
form $(u_i + 4)/(u_i - 4)$, and the AGM recursion determines a lifted invariant which satisfies
the smaller minimal polynomial

$$X^4 - 9X^3 + 17X^2 + 24X + 16,$$

any root $u$ of which determines a CM $j$-invariant by

$$j = \frac{(u^4 + 224u^2 + 256)^3}{u^2 (u + 4)^4 (u - 4)^4}.$$

Existence of generalised AGM methods for elliptic curves in odd characteristic has been
proved by Carls [Car02]. Explicit formulae for AGM recursions for modular functions
on various $X_0(pN)$ and small characteristics $p$ were determined by Kohel [Koh03]
and by Bröker and Stevenhagen [BS04] using Weber functions (modular functions of level
$N = 48$) and small characteristic $p$.

The method of Couveignes and Hénocq [CH02] for level $N = 1$ imposes no congruence
condition on the input discriminant, while variation of the level $N$ also varies the
congruence condition on $D$. In another direction, Lercier and Riboulet-Deyris [LRD04] use a $p$-adic
lift of a CM order embedded in the endomorphism ring of a supersingular elliptic curve. For
$p = 2$ this allows one to treat the complementary classes $D \equiv 5 \bmod 8$ and (fundamental)
$D \equiv 0 \bmod 4$.

Remark 2.1. The case of genus 1 can be compared and contrasted with the problems which 
arise in the generalisation to higher dimension. 

1. To determine the class polynomial of a maximal order $\mathcal{O}$, we have to ensure that a
selected curve $E/\mathbb{F}_q$ has complex multiplication by $\mathcal{O}$ and not some suborder. Determining
the correct order $\mathrm{End}(E)$ requires a more detailed analysis (for example see [Koh96] and
some extensions to genus 2 in [EL04]).

2. For an elliptic curve $E/\mathbb{F}_q$ such that its $j$-invariant generates $\mathbb{F}_q$ over $\mathbb{F}_p$, the class
number must be divisible by the extension degree $d = [\mathbb{F}_q : \mathbb{F}_p]$. The order $\mathrm{End}(E)$ of a
randomly chosen $E$, however, has discriminant $D = t^2 - 4q$, whose class number tends to
grow like $O(\sqrt{q})$. In the case of genus 2, the class number will tend to grow faster.

3. All elliptic curves over a finite field $\mathbb{F}_q$ which have complex multiplication by an
imaginary quadratic order $\mathcal{O}$ have the same field of definition. This follows from the Galois theory
of class fields for imaginary quadratic fields; its generalization to higher dimension does not
preserve this feature.

4. The j-invariant is an algebraic integer and we have explicit bounds on the size of j in 
terms of the discriminant of the order. The lack of explicit bounds and the failure of the 
Igusa invariants to be algebraic integers provide both technical and theoretical obstacles. As 
a result, even proving the correctness of the result becomes more cumbersome (see Section 9). 

3. The theoretic background 

In this section we will summarize some basic facts on Jacobians of genus two curves and
quartic CM fields needed to understand the algorithm presented in the next section.

3.1. The Frobenius endomorphism and its characteristic polynomial. Let $C$ be a
hyperelliptic curve of genus 2 over a finite field $\mathbb{F}_q$ and let $J_C$ be the Jacobian of $C$. Note that
$J_C$ is an abelian surface. Let $\pi_q$ be the Frobenius endomorphism on $J_C$. Let be the Tate
module for $J_C$ for some prime $\ell$, $(\ell, q) = 1$. The Frobenius operates on the 4-dimensional
vector space and the characteristic polynomial $f_{\pi_q}(x) \in \mathbb{Z}[x]$ of this representation
is independent of the prime $\ell$. It classifies the isogeny class of the Jacobian over $\mathbb{F}_q$. Any
root $w$ of the Frobenius polynomial has absolute value $\sqrt{q}$ and we have

(3.1) $f_{\pi_q}(1) = \#J_C(\mathbb{F}_q).$

Given $f_{\pi_q}(x)$, we can determine $\mathrm{End}(J_C) \otimes \mathbb{Q}$ [Wat69]. If $f_{\pi_q}(x)$ is irreducible, then the
Frobenius endomorphism generates a CM field of degree 4, i.e. a totally imaginary quadratic
extension of a real quadratic field.

In the opposite direction, in Section 4 we will try to construct a curve over a large finite
field $\mathbb{F}_p$ whose Jacobian has complex multiplication by the maximal order in a given CM field
$K$. Suppose we are given such a curve $C$. The Frobenius endomorphism on $J_C$ corresponds
to an element $w \in O_K$ with absolute value $\sqrt{q}$. If we know that $J_C$ is simple, then $\mathbb{Q}(w) = K$.
This will always be the case if $K$ is non-normal or cyclic.

There are only finitely many elements in $O_K$ such that $w\bar{w} = q$. For each $w$ we can
compute the minimal polynomial $f_w(x) \in \mathbb{Z}[x]$. If the Jacobian is ordinary and $K$ does not
contain any nontrivial roots of unity, we find precisely two different $w$ up to conjugation and
two different group orders in the Galois case and two or four different $w$ up to conjugation
and two, three or four different group orders in the non-normal case (cf. [Wen04]).

We can now find the right order $n$ by choosing random elements in the Jacobian and
multiplying them with the possible values for $n$.

3.2. Quartic CM fields. Let $K$ be a quartic CM field and let $\Phi = \{\varphi_1, \varphi_2\}$ be a set of two
different embeddings of $K$ into $\mathbb{C}$ such that $\varphi_1 \neq \varphi_2\rho$ where $\rho$ is the complex conjugation.
Then $(K, \Phi)$ is called a CM type; up to conjugation, there exist exactly two different CM
types. To every abelian variety over $\mathbb{C}$ with complex multiplication by an order of $K$ we can
assign a specific CM type. This CM type is called primitive if and only if the abelian variety
is absolutely simple. A quartic CM field may be non-normal (whose normal closure is a
extension of $\mathbb{Q}$), cyclic, or a bicyclic Galois extension of $\mathbb{Q}$. For the first two, every CM type
is primitive, but every bicyclic CM type is nonprimitive, so we focus on the case that $K$ is
non-normal or cyclic over $\mathbb{Q}$.

We can show that conjugate CM types will lead to the same set of isomorphism classes of
abelian varieties. In the cyclic case, the set of isomorphism classes of one specific CM type
coincides with the set of isomorphism classes of any other CM type. Hence it will be enough
to consider only one fixed CM type (cf. [Spa94]). For a CM field $K$, we denote by $O_K$ its
maximal order and by $K_0$ its quadratic real subfield. In order to determine the number $s$ of
isomorphism classes of principally polarized abelian varieties with CM by $O_K$, we define an
associated class group.

Definition 3.1. Let $I(K)$ be the group of fractional ideals in $K$, and let $K^{\times}$ act on the
group $I(K) \times K_0^{\times}$ by $\mu(\mathfrak{a}, \alpha) = (\mu\mathfrak{a}, \alpha\mu\bar{\mu})$. Then the subgroup of $I(K) \times K_0^{\times}$ consisting of
pairs $(\mathfrak{a}, \alpha)$ such that $\mathfrak{a}\bar{\mathfrak{a}} = (\alpha)$ for totally positive $\alpha \in K_0$ contains the image of $K^{\times}$, and
we define $\mathfrak{C}(O_K)$ to be the quotient of this subgroup by $K^{\times}$.

The following theorem summarises the results of §14.6 of Shimura [Shi98], and provides the
explicit class number for the set of isomorphism classes of principally polarised CM abelian
varieties.

Theorem 3.1. The set of isomorphism classes of principally polarised abelian varieties with
CM by $O_K$ is a principal homogeneous space over $\mathfrak{C}(O_K)$, in particular $s = |\mathfrak{C}(O_K)|$.

We note that $\mathfrak{C}(O_K)$ is an extension by a group of order 1 or 2, of the kernel of the norm
map $Cl(O_K) \to Cl^+(O_{K_0})$¹ given by $\mathfrak{a} \mapsto \mathfrak{a}\bar{\mathfrak{a}}$. The class of $(O_K, 1)$ is the identity element,
and $\mathfrak{C}(O_K)$ is a nontrivial extension of this kernel if and only if the fundamental unit $\epsilon_0$ of
$O_{K_0}$ has norm 1 and is not in the image of a fundamental unit of $O_K$. In this case $(O_K, \epsilon_0)$
is a second element of $\mathfrak{C}(O_K)$ which lies over the principal class of $Cl(O_K)$.

Corollary 3.1. Let $s$ denote the number of isomorphism classes of principally polarised
abelian varieties with CM by a maximal CM order $O_K$, and let $h'$ be the order of the kernel
of the norm map $Cl(O_K) \to Cl^+(O_{K_0})$. If $N(\epsilon_0)$ equals $-1$, then $s = h'$ if the field $K$ is
normal and $s = 2h'$ if $K$ is non-normal. If $N(\epsilon_0)$ equals 1, then $s = h'$ if $\epsilon_0$ is the norm of
a unit in $O_K$, and $s = 2h'$ otherwise.

The Cohen-Lenstra heuristics imply that the real quadratic field $K_0$
has class number 1 with density greater than 3/4. In this case we can express a more precise
form of the theorem (see [Wen04]).

Corollary 3.2. Let $K$ be a quartic CM field, with real quadratic subfield $K_0$ of class number 1.
If $K$ is cyclic over $\mathbb{Q}$, then there are $h_K$ isomorphism classes, and if $K$ is not normal over
$\mathbb{Q}$ then there are $2h_K$ isomorphism classes, with $h_K$ classes associated to each CM type.

N.B. The enumeration of the isomorphism classes does not provide the Galois action on
their moduli. The CM moduli determine an abelian extension of the Galois group $Cl(O_{K^*})$
of the reflex field $K^*$ via a map $Cl(O_{K^*}) \to \mathfrak{C}(O_K)$. In the cyclic case, $K^*$ and $K$ coincide,
but in the non-normal case, $K$ and $K^*$ are nonisomorphic quartic CM fields embedded in
the normal closure $L$ of $K$. In the latter case, the action on the CM isomorphism classes is
given by $\mathfrak{a} \mapsto (g(\mathfrak{a}), N(\mathfrak{a}))$ where $g$ is the composition of ideal extension to $L$ with the norm
of $L/K$, and $N = N_{K^*/\mathbb{Q}}$. Even if $Cl(O_{K^*}) \cong Cl(O_K)$, the map to $\mathfrak{C}(O_K)$ may have a kernel
which results in reducibility of the corresponding class equations (see Shimura [Shi98, Main
Theorem 1, Note 3, pp. 112-113]).

3.3. The splitting of a prime in a given CM field. Let $K$ be a quartic CM field.
Analogously to the elliptic curve case we can define invariants which classify the isomorphism
class of the hyperelliptic curves of genus 2 or equivalently the principally polarized abelian
surfaces over $\mathbb{C}$ completely. In contrast to the elliptic curve case, the moduli space is
3-dimensional and we find three $j$-invariants $j_1$, $j_2$, $j_3$. We define the class polynomial

$$H_k(X) = \prod_{\sigma \in S} (X - j_k^{(\sigma)}), \quad k = 1, 2, 3$$

where $S$ is the set of all isomorphism classes of principally polarized abelian surfaces with
CM by the maximal order $O_K$. Since we run over all isomorphism classes, the polynomials
$H_k(X)$ are Galois invariants, i.e. $H_k(X) \in \mathbb{Q}[X]$.

In this subsection, we would like to discuss the properties of these class polynomials and
their splitting modulo a prime $p$. This is used twice in our algorithm: first with $p = 2$,
since we are going to start from a curve in characteristic 2; and second with a large odd
$p$, after the class polynomials have been computed, in order to build CM curves over large
finite fields. By abuse of notation, we also use $p$ to denote the prime ideal generated by the
rational prime $p$. For simplicity, we restrict to $h_{K_0} = 1$, in which case we know the number of
isomorphism classes (see Subsection 3.2). Similar arguments will apply in the general case.

¹ Here $Cl^+(O_{K_0})$ is the group of ideals modulo totally positive principal ideals, and
$Cl^+(O_{K_0}) = Cl(O_{K_0})$ if the fundamental unit of $O_{K_0}$ has norm $-1$.

Let $A$ be an abelian surface with principal polarization $E$ of CM type $(K, \Phi)$ with
$j$-invariants $j_1$, $j_2$, $j_3$ and let $k_0$ be the field of moduli which is the unique subfield of $\mathbb{C}$ with
the property: An automorphism $\sigma$ of $\mathbb{C}$ is the identity on $k_0$ if and only if there exists an
isomorphism $\lambda : (A, E) \to (A^{\sigma}, E^{\sigma}) = (A, E)^{\sigma}$. Obviously, we have $k_0 := \mathbb{Q}(j_1, j_2, j_3)$. Let
$(K^*, \Psi)$ be the reflex type of $(K, \Phi)$. We can characterize $k_0^* := k_0 K^*$ in terms of class field
theory.

Theorem 3.2 (Main Theorem of Complex Multiplication, [Shi98]). Given a CM-type $(K, \Phi)$
with reflex type $(K^*, \Psi)$. Consider the ideal group $H_0$ of ideals $\mathfrak{a}$ in $K^*$ for which there exists
an element $\mu$ in $K$ such that

$$\prod_j \psi_j(\mathfrak{a}) = (\mu) \quad \text{and} \quad N(\mathfrak{a}) = \mu\bar{\mu}.$$

The group $H_0$ contains the principal ideals, and the corresponding unramified class field over
$K^*$ is the field $k_0^*$.

For every CM type $(K, \Phi)$ we find $h_K$ isomorphism classes of principally polarized abelian
varieties (cf. [Wen04]) and the polynomial

Gt(x) = n 

o-es* 

(where is the set of isomorphism classes of principally polarized abelian surfaces with CM
type $(K, \Phi)$) lies in $K^*[X]$ by Theorem 3.2. Since it is invariant under complex conjugation,
we even get $G_k^{\Phi}(X) \in K_0^*[X]$ where $K_0^*$ is the real subfield of $K^*$. If $K$ is Galois,
$H_k(X) = G_k^{\Phi}(X)$ and if $K$ is non-normal, $H_k(X) = G_k^{\Phi}(X)G_k^{\Psi}(X)$ where $\Phi$ and $\Psi$ are the two different
CM types. The polynomial $G_k^{\Phi}(X)$ does not need to be irreducible over $K_0^*$, since $[k_0^* : K^*]$
can be smaller than $h_K$. More precisely, we have

[kl : K*] = \Ix*IHq\ = \Ix»/H]p\ X Uq/U^ 

where Ix* is the ideal class group of K*, Ix** is the group of ideals in Ix which are of the 
form ](([^. ipj^A*) for some A G Ix*, Hx** is the subgroup of principal ideals of Ix**, Uq is the 
group of units in Kq which are of the form Nx/q{B){l3)~^ where f3 = Nx/q{B) and Ui the 
subgroup of units in Kq which are a norm of a unit in K (see [Shi98], p. 112, Note 3 and p. 
114, Example 15.4 (3)). 

If $h_K$ is odd, $K$ is non-normal and $N(\epsilon_0) = -1$, we can deduce $[k_0^* : K^*] = h_K$ [Hec13,
Shi98]. We expect $G_k^{\Phi}(X)$ to be irreducible over $K_0^*[X]$ (in general this might not be true,
since $K^*(j_1, j_2, j_3) = k_0^*$ does not imply $K^*(j_k) = k_0^*$ for a single $j_k$).

We now consider the abelian variety obtained by reducing the invariants modulo a prime
in $k_0^*$. Let $p$ be a rational prime and $\mathfrak{P} \mid p$ be a prime ideal of degree $f$ in $k_0^*$ such that
$v_{\mathfrak{P}}(j_k) \geq 0$ for all $k$. By reducing $j_k \bmod \mathfrak{P}$ we obtain a curve $C$ over $\mathbb{F}_{p^f}$. Let $J_C$ be its
Jacobian.

Note that $v_{\mathfrak{P}}(j_k) < 0$ only if the reduction of the corresponding principally polarized
abelian variety $A$ defined over a number field $k \supseteq k_0^*$ modulo some prime $\mathfrak{q}$ lying above
$\mathfrak{P}$ is superspecial, i.e. $A \bmod \mathfrak{q}$ is isomorphic to the product of two supersingular elliptic
curves [dSG97].

We will determine the $p$-rank of $J_C$. For this we use the following theorem.

Theorem 3.3 ([Lan83, Chapter 4, Theorem 1.1], [Shi98, Section 19]). Let $\pi$ be the Frobenius
endomorphism on the Jacobian $J_C$ obtained by reducing $j_1$, $j_2$ and $j_3$ modulo $\mathfrak{P}$. There exists
an element $\pi_0$ in $K$ such that $\iota(\pi_0) = \pi$ where $\iota$ denotes the embedding $O_K \to \mathrm{End}(J_C)$. Moreover,
with this $\pi_0$ one has $g(N_{k_0^*/K^*}(\mathfrak{P})) = \pi_0 O_K$ where $g(\mathfrak{p})$, $\mathfrak{p}$ ideal in $K^*$, is the ideal $\mathfrak{a}$ in $O_K$
such that $\mathfrak{a}O_L$ = where $L$ is the Galois closure of $K$.

The theorems so far allow us to determine the Frobenius endomorphism for every prime
ideal in $k_0^*$. We now consider the case that the field $k_0 = \mathbb{Q}(j_1, j_2, j_3)$ does not contain $K^*$.

Let $G = \mathrm{Gal}(k_0^*|k_0)$. There exists an injective homomorphism $\pi : G \to \mathrm{Aut}(K)$ defined
by $\iota(a)^{\sigma} = \iota(a^{\pi(\sigma)})$. The image $\pi(G)$ is a Galois group $\mathrm{Gal}(K|M)$ for some subfield $M$.
To determine the characteristic polynomial of the Frobenius endomorphism over a smaller
subfield we use the following theorem:

Theorem 3.4 ([Lan83], Chapter 4, Theorem 6.2). Let $\mathfrak{p}_0$ be a prime in $k_0$ where $A$ has
good reduction and let $\pi_0$ be the corresponding Frobenius. Let $T = \mathrm{End}(K/\mathbb{C})/\pi(G)$ be a
set of representatives of embeddings of $K$ into $\mathbb{C}$ modulo $\pi(G)$. Then for every $\ell \neq p$ the
characteristic polynomial of the Frobenius is given by

p[n(V'™-a(r)) 

rerqjlpo 

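where $f(\mathfrak{P})$ is the degree of the prime ideal $\mathfrak{P}$ in $k_0^*$ over $\mathfrak{p}_0$ and where $\alpha(\mathfrak{P})$ is up to a root of
unity equal to $g(\mathfrak{p}_1)$ where $\mathfrak{p}_1$ is the prime ideal in $K^*$ lying below $\mathfrak{P}$.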

Theorem 3.5. Let $A$ be a principally polarized abelian surface with CM type $(K, \Phi)$ with
complex multiplication by $O_K$ with invariants $j_1$, $j_2$ and $j_3$ in $k_0$. Let $(K^*, \Psi)$ be the reflex
CM type. Consider the abelian variety $A$ obtained by reducing $j_k \bmod \mathfrak{p}_0$ for some ideal $\mathfrak{p}_0$
above $p$ in $k_0$. Depending on the splitting of $p$ in $K$, we get

(1) if $p$ splits completely, the abelian variety $A$ is ordinary and has complex multiplication
by $O_K$;

(2) if $p$ is unramified, inert or splits only in $K_0/\mathbb{Q}$ but not any further, the abelian
variety $A$ is supersingular; the same is true if $p$ ramifies completely, if $(p) = \mathfrak{p}^2$ and
if (p) = p^p 2 but $p$ does not ramify in $K_0/\mathbb{Q}$;

(3) if $p$ splits into three prime ideals, the abelian variety will have $p$-rank 1; the same is
true if (p) = pip 2 pi;

(4) if $p$ is inert in $K_0/\mathbb{Q}$ but splits in $K/K_0$, the abelian variety will either be supersingular
or ordinary with complex multiplication by $O_K$ (depending on the CM type chosen);
the same happens if $(p) = \mathfrak{p}_1^2\mathfrak{p}_2^2$ where $p$ ramifies in the extension $K_0/\mathbb{Q}$.

Proof. 

(1) Let $pO_K = \mathfrak{p}_1\bar{\mathfrak{p}}_1\mathfrak{p}_2\bar{\mathfrak{p}}_2$ with all these prime ideals being distinct (since $p$ is unramified)
and let $\mathfrak{P} \mid \mathfrak{p}_0$ be the prime ideal in $k_0^*$. Then $g(N_{k_0^*/K^*}(\mathfrak{P})) = (\mathfrak{p}_1\mathfrak{p}_2)^f$ = is
principal where $f$ is the degree of $N_{k_0^*/K^*}(\mathfrak{P}) \in K^*$ or equivalently the smallest
integer such that $(\mathfrak{p}_1\mathfrak{p}_2)^f$ is principal. We have $(\mathfrak{p}_1\mathfrak{p}_2)^f$ is coprime to $(\bar{\mathfrak{p}}_1\bar{\mathfrak{p}}_2)^f$. Hence,
the abelian variety is ordinary and by [Shi98], p. 100, its endomorphism ring is equal
to $O_K$.

(2) If $p$ is inert, the abelian variety modulo $\mathfrak{p}_0$ is defined over $\mathbb{F}_p$, $\mathbb{F}_{p^2}$ or $\mathbb{F}_{p^4}$ depending on
whether $k_0 \cap K^* = \mathbb{Q}$, $K_0^*$ or $K^*$. Using Theorem 3.3 and 3.4, we see that in this case
the characteristic polynomial of a power of the Frobenius is equal to

and the abelian variety is supersingular.

If $p$ splits in $K_0/\mathbb{Q}$ but not any further, the abelian variety is defined over $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$
and the characteristic polynomial of a power of the Frobenius is Again,

it is supersingular.

If $(p) = \mathfrak{p}^4$, we have $g(N_{k_0^*/K^*}(\mathfrak{P}))$ is an even power of $\mathfrak{p}$. Considering the
characteristic polynomial of the Frobenius we see that its $p$-rank must be equal to 0. The
same argument works for $(p) = \mathfrak{p}^2$ and (p) = pip^-

(3) If $p$ splits in three prime ideals, then $p$ is inert in $K_0^*/\mathbb{Q}$. This can only occur if $K$ is
non-normal and in this case the field generated by the invariants will always contain
$K_0^*$. Hence the field of definition will always contain $\mathbb{F}_{p^2}$.

Let us consider the following diagrams of fields:




where (r, s; = l,rs^ = sr) is a representation of the Galois group of the
Galois closure $L$ of $K$.

Let (p) = P 1 P 1 P 2 in K and qiq 2 qiq 2 L. Then (p) = 9393, where 93 = qiq 2 , is the 
prime ideal decomposition of p in K*. 

The automorphism r leaves qi, q^^ invariant and interchanges q 2 and q 2 . The 
automorphism maps qi to q^^ and q 2 to q 2 . 

The automorphism r is a continuation of the real conjugation of Kq/Q. We get 
9393’’ = qiq 2 qiq 2 = qiq 2 p 2 Hence, p(93) = p^p 2 - The invariants are dehned over the 
held Fp 2 / where / is the smallest number such that (pip 2 )'^ is principal. 

In this case the Frobenius element is {w) = (pip 2 )'^ and the Frobenius polynomial 
is the minimal polynomial of $w$. By considering the Newton polygon of the
characteristic polynomial of the Frobenius we see that its $p$-rank is equal to 1. The case
(p) = P 1 P 2 P 3 can be treated similarly.

(4) Now consider the case where $p$ is inert in $K_0/\mathbb{Q}$ but splits in $K/K_0$, i.e. $p = \mathfrak{p}\bar{\mathfrak{p}}$. Here,
$p$ splits in three prime ideals (p) = 93i93i932 in $K^*$. We consider the same diagram
as above.

We hnd 93i93j = pOi, hence p(93i) = pOx, and 932932 = pOl, hence p(932) = pOx- 

In the first case, the invariants are defined over the field $\mathbb{F}_{p^f}$ where $f$ is the smallest
integer such that $\mathfrak{p}^f$ is principal in $K$. The Frobenius element $w$ is then given by
$(w)$ = .
In the second case, the invariants are always defined over $\mathbb{F}_{p^2}$. We get ttq = ip. The
abelian variety is $\mathbb{F}_{p^2}$-isogenous to the product of two supersingular elliptic curves.
The case where $(p) = \mathfrak{p}_1^2\mathfrak{p}_2^2$ is similar.

□ 

Our algorithm will start with an ordinary hyperelliptic curve of genus 2 defined over a
finite field $\mathbb{F}_{2^d}$. Hence, we are only interested in CM fields where 2 splits completely, 2 is inert
in $K_0/\mathbb{Q}$ but splits in $K/K_0$ or 2 ramifies in $K_0$ and is of the form $\mathfrak{p}_1^2\mathfrak{p}_2^2$ in $K$.

We can then compute the extension degrees $d$ over which we expect to find a hyperelliptic
curve with complex multiplication by $O_K$ as follows:

(1) If 2 splits completely, i.e. $(2) = \mathfrak{p}_1\bar{\mathfrak{p}}_1\mathfrak{p}_2\bar{\mathfrak{p}}_2$ where $\bar{\mathfrak{p}}_i$ is the complex conjugate of $\mathfrak{p}_i$.
Let $f_1$ be the smallest integer such that $(\mathfrak{p}_1\mathfrak{p}_2)^{f_1}$ is principal and let $f_2$ be the smallest
integer such that $(\mathfrak{p}_1\bar{\mathfrak{p}}_2)^{f_2}$ is principal. Then we will find $h_K$ isomorphism classes of
hyperelliptic curves defined over $\mathbb{F}_{2^{f_1}}$ and $h_K$ isomorphism classes of hyperelliptic
curves defined over $\mathbb{F}_{2^{f_2}}$.

(2) If 2 is inert in $K_0/\mathbb{Q}$ but splits into two prime ideals $\mathfrak{p}\bar{\mathfrak{p}}$ in $K/K_0$, we find $h_K$
isomorphism classes of hyperelliptic curves with CM by $O_K$ over $\mathbb{F}_{2^f}$ where $f$ is the smallest
number such that $\mathfrak{p}^f$ is principal.

(3) If 2 ramifies in $K_0/\mathbb{Q}$ and is of the form $\mathfrak{p}_1^2\mathfrak{p}_2^2$ in $K/\mathbb{Q}$, we find $h_K$ isomorphism classes
of hyperelliptic curves with CM by $O_K$ over $\mathbb{F}_{2^f}$ where $f$ is the smallest number such
that (pip 2 )^’^ is principal.


4. The algorithm 

We now describe an algorithm for constructing hyperelliptic curves over finite fields with
complex multiplication by a given maximal order $O_K$. We will restrict to specific CM-fields,
e.g. there should exist an ordinary hyperelliptic curve with complex multiplication by $O_K$
over a field of characteristic 2 (see Subsection 3.3). The algorithm differs from the analytic
approach mainly in the computation of the class polynomials. Hence, we will first explain
the construction of the class polynomial.

Input: An ordinary hyperelliptic curve over $\mathbb{F}_{2^d}$ with complex multiplication by a maximal
order $O_K$ in a CM field $K$.

Output: Irreducible factors $H_k(X)$ of the class polynomials $H_k(X) = \prod_{i=1}^{s} (X - j_k^{(i)})$ of
degree $n \leq s$.

(1) Compute the number of isomorphism classes $s$ of principally polarized abelian
varieties over $\mathbb{C}$ with complex multiplication by $O_K$ using Subsection 3.2. This gives an
upper bound for the degree of $H_k(X)$.

(2) Lift the curve to a 2-adic field.

(3) Compute the Serre-Tate-Lubin lift using AGM.

(4) Recover the absolute Igusa $j$-invariants $j_1$, $j_2$, $j_3$ (see Section 5) with high $p$-adic
precision.

(5) Apply LLL to find the minimal polynomial $H_1(x) \in \mathbb{Q}[x]$ of $j_1$ of degree $n \leq s$.

(6) Apply LLL to find the minimal polynomials $H_2(x)$ and $H_3(x) \in \mathbb{Q}[x]$ of $j_2$ and $j_3$ of
degree $n$.

(7) Output $H_1$, $H_2$ and $H_3$.

To get a curve over $\mathbb{F}_p$ for $p$ a large prime with complex multiplication by $O_K$, we now choose
a prime $p$ such that there exists a $w \in O_K$ with

$$w\bar{w} = p$$

and such that $f_w(1)$ is prime where $f_w$ is the minimal polynomial of $w$. We determine
^ compute the curve using Mestre’s algorithm (cf. [Wen03]). 

Remark 4.1. The determination of the number $s = s(K)$ of isomorphism classes is useful
for the application of the LLL algorithm. Note that $H_1(X)$ does not have to be irreducible
(cf. Remark 2.1, (3)), but in many cases, we have $H_1(X) = H_1(X)$ and using the algorithm
above we can recover the complete polynomial $H_1(X)$. In general, we expect $n$ to be equal
to $s$ or $s/2$. This is true, for example, if $K$ is Galois, the real quadratic subfield has class
number one, the fundamental unit is negative, and the class number $h_K$ is odd [Hec13].
Hence, given $s$, we first try to take $n = s$ and $2n = s$ in step (5) of the algorithm.

Note that for most applications (e.g. constructing curves over large prime fields with given
group order) it is sufficient to compute an irreducible factor over $\mathbb{Q}[x]$ of the class polynomial.

Remark 4.2. It is classical to consider that $H_1(X)$, $H_2(X)$ and $H_3(X)$ are to be called
the class polynomials. However, they do not describe fully the CM points in the moduli
space, since the relations between the invariants are missing. We therefore modify the above
algorithm as follows.

Instead of computing $H_2(X)$ and $H_3(X)$ in (6), we compute polynomials $G_2(X)$ and $G_3(X)$
of degree $n - 1$ such that

$$j_2 H_1'(j_1) = G_2(j_1) \quad \text{and} \quad j_3 H_1'(j_1) = G_3(j_1)$$

(see in Subsection 7.3 why this is better than classical interpolation).

This approach is only possible if the coordinate $j_1$ is a separating function for the CM points,
or equivalently if $H_1(X)$ is a squarefree polynomial of maximal degree. This is usually the
case, and then there is a major advantage for the second part of the algorithm, the application
of Mestre's algorithm [Mes91].

For Mestre's algorithm we reduce the polynomials modulo $p$ and we try to find a suitable
triple $(j_1, j_2, j_3) \in \mathbb{F}_p^3$. Given $H_1(x)$, $H_2(x)$ and $H_3(x)$ we have to loop through all possible
triples $(x_1, x_2, x_3)$ where $H_k(x_k) = 0$. In our situation we can compute a root of $H_1(X)$ mod
$p$ and then determine $j_2$ and $j_3$ directly from $G_2(x)$ and $G_3(x)$. We need to factor only one
polynomial modulo $p$ and the set can be deduced directly. This is much
more efficient. Note that this trick can also be applied in the analytic approach.
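Remark 4.2's shortcut as an added example (not code from the paper): with $G_2$, $G_3$ satisfying $j_k H_1'(j_1) = G_k(j_1)$, one root-finding step on $H_1$ modulo $p$ yields each triple directly, where the three separate class polynomials leave $n^3$ candidate triples. The prime `P`, the triples in `POINTS` and all function names are constructed for the demonstration, and the polynomials are built directly modulo `P` instead of being reduced from $\mathbb{Q}[X]$.

```python
from itertools import product

P = 10007  # small prime chosen for the demonstration; real use takes a large p

# Constructed triples (j1, j2, j3) standing in for the CM points modulo P.
POINTS = [(17, 4242, 99), (256, 31, 7001), (9000, 555, 1234)]


def mul_linear(f, r, p):
    """Multiply f (coefficients, highest degree first) by (X - r) modulo p."""
    return [(hi - r * lo) % p for hi, lo in zip(f + [0], [0] + f)]


def from_roots(roots, p):
    """Monic polynomial with the given roots modulo p."""
    f = [1]
    for r in roots:
        f = mul_linear(f, r, p)
    return f


def evaluate(f, x, p):
    """Horner evaluation of f at x modulo p."""
    acc = 0
    for c in f:
        acc = (acc * x + c) % p
    return acc


def derivative(f, p):
    """Formal derivative of f modulo p."""
    n = len(f) - 1
    return [(c * (n - i)) % p for i, c in enumerate(f[:-1])]


def class_data(points, p):
    """Return H1, H2, H3 and the interpolants G2, G3 with j_k H1'(j1) = G_k(j1)."""
    h = [from_roots([pt[k] for pt in points], p) for k in range(3)]
    g = []
    for k in (1, 2):
        acc = [0] * len(points)                       # degree n - 1
        for i, pt in enumerate(points):
            # product over the other j1-values: equals H1'(j1) at this point's j1
            others = from_roots([q[0] for m, q in enumerate(points) if m != i], p)
            acc = [(a + pt[k] * c) % p for a, c in zip(acc, others)]
        g.append(acc)
    return h[0], h[1], h[2], g[0], g[1]


def roots_mod_p(f, p):
    """Roots by exhaustive evaluation; adequate for this small P only."""
    return [x for x in range(p) if evaluate(f, x, p) == 0]


def triples_via_g(h1, g2, g3, p):
    """One root-finding step on H1; j2 and j3 then follow from G2 and G3."""
    dh1 = derivative(h1, p)
    out = []
    for j1 in roots_mod_p(h1, p):
        inv = pow(evaluate(dh1, j1, p), -1, p)        # H1 squarefree => invertible
        out.append((j1,
                    evaluate(g2, j1, p) * inv % p,
                    evaluate(g3, j1, p) * inv % p))
    return out


def triples_classical(h1, h2, h3, p):
    """With H1, H2, H3 only: every combination of roots is a candidate triple."""
    return list(product(*(roots_mod_p(h, p) for h in (h1, h2, h3))))


if __name__ == "__main__":
    h1, h2, h3, g2, g3 = class_data(POINTS, P)
    print("via G2, G3:", triples_via_g(h1, g2, g3, P))
    print("classical candidates:", len(triples_classical(h1, h2, h3, P)))
```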

5. Isomorphism classes in characteristic 2 

In this section we discuss the choice of suitable invariants $j_1, j_2, j_3$ for the algorithm described in Section 4 and describe how to choose suitable curves in characteristic 2 which we can use as an input for the algorithm described in the previous section.

We have to be careful to choose the right invariants, since we are in characteristic 2. In the literature and the computer algebra package Magma we usually find three different sets of invariants, known as Igusa-Clebsch invariants, Clebsch invariants and Igusa invariants. These can easily be transformed into each other (see [Mes91]).
We are only interested in the so-called Igusa invariants $[J_2, J_4, J_6, J_8, J_{10}]$ since they also make sense in characteristic 2. Two curves are isomorphic over some extension if and only if their Igusa invariants agree as points in weighted projective space. The subspace of curves with ordinary Jacobian in $\mathbb{F}_2$ is defined by the condition $J_2 \neq 0$ (see [CNP04]). From the projective Igusa invariants we define absolute invariants

$$(j_1, j_2, j_3, j_4, j_5) = \left( \frac{J_2^5}{J_{10}}, \frac{J_2^3 J_4}{J_{10}}, \frac{J_2^2 J_6}{J_{10}}, \frac{J_2 J_8}{J_{10}}, \frac{J_4 J_6}{J_{10}} \right).$$

The absolute invariants are well-defined since $J_{10} = 0$ if and only if a curve is singular. However, since $4J_8 = J_4^2 - J_2 J_6$, in characteristic 2 we obtain the relation $j_1 j_3 = j_2^2$ and also $j_2 j_3 = j_1 j_5$. For an ordinary curve, the absolute invariant $j_1$ is nonzero (since $J_2 \neq 0$) so we may eliminate the invariant $j_3$ in determining a parametrization of such curves, but use the triple $(j_1, j_2, j_4)$ for the invariants of a lifted curve. In order to classify curves of nonordinary Jacobian, it is necessary to define additional absolute invariants (see [Igu60]).

We now would like to enumerate all isomorphism classes of hyperelliptic genus 2 curves over $\bar{k}$ which are defined over $k = \mathbb{F}_{2^d}$ to find suitable CM fields as input to our algorithm. We note that over a finite field, a curve is defined over its field of moduli, hence the field of definition of the point $(j_1, j_2, j_3, j_4, j_5)$ is the field of definition for a curve. (For a classification of curves and their twists, we refer to a paper by Cardona, Nart and Pujolàs [CNP04]).

Following Igusa [Igu60], every ordinary curve of genus 2 in characteristic 2 has a normal form

$$y^2 - y = ax + bx^{-1} + c(x-1)^{-1}, \qquad abc \neq 0,$$

isomorphic via $(x, y) \mapsto (x, y(x(x-1))^{-1})$ to the curve

$$C : y^2 - x(x-1)y = x(x-1)(ax^3 + ax^2 + (b+c)x + b).$$

We define $S_1(C) = a + b + c$, $S_2(C) = ab + bc + ac$, and $S_3(C) = abc$. The absolute Igusa invariants can be expressed in terms of these invariants (cf. [Igu60, p.623]); in particular

Jf' = J2^JlO = SsiCf, 
j2jl ^ = J 2 = Sl(C')^ 

J4ji ^ = J2 — ^2.{CY + -Si(C)^ -|- Si(C)"‘. 


Thus the maps 


and 


(Si, S 2 , <§ 3 ) 


(jl) 32i J 4 ) 


1 sf sl + s^, + sf 
^2’ „2’ „2 


Vj 2 Vj 4 ^ 32^/32 1 

“T ,9 “T 


.\/Ti VJi Jl jiv(7i’ Vliy 
define mutual inverses between triples $(s_1, s_2, s_3)$ with $s_3 \neq 0$ and $(j_1, j_2, j_4)$ with $j_1 \neq 0$. Conversely given a triple $(s_1, s_2, s_3) \in k^3$, with $s_3 \neq 0$, there exists a curve in normal form

$$C : y^2 - x(x-1)y = x(x-1)(ax^3 + ax^2 + (b+c)x + b),$$

where $x^3 + s_1 x^2 + s_2 x + s_3 = (x-a)(x-b)(x-c)$, over an extension of degree at most 3.


Remark 5.1. Cardona, Nart and Pujolàs [CNP04] show for a finite field of characteristic 2, that one can in fact find a representative curve C/k given any triple $(s_1, s_2, s_3)$ in $k^3$ with $s_3 \neq 0$. This implies that triples $(s_1, s_2, s_3)$ are in bijection with $\bar{k}$-isomorphism classes of curves over k. However, since we require a curve in the split normal form above as input to our algorithm of Section 4, we omit the description of this representative over k.

6. Higher dimensional generalization of AGM 

In order to apply the algorithm, we need a method to compute the Serre-Tate-Lubin lift of a genus 2 curve over a 2-adic field. We use an algorithm due to Mestre [Mesb] which uses the explicit formulae usually called “Richelot isogeny”. Later on, Mestre [Mesa] proposed another method, based on Borchardt’s mean. The latter has been implemented by Lercier and Lubicz [LL]. Borchardt’s mean involves simpler formulae and extends to higher genus. Since we are interested in the genus 2 case, we stick to the first “Richelot” algorithm. This variant is not well described in the literature, so we now give a few details about it.

6.1. AGM lifting via Richelot’s isogeny. The basic idea of the genus 2 AGM lifting algorithm is to have explicit formulae that describe fully a (2, 2)-isogeny between Jacobians of curves. This can also be viewed as an explicit modular equation relating the invariants of the curves. The following can be found in [BM88]:

Theorem 6.1. If S and T are monic polynomials of degree 2, define

$$[S, T](x) = S'(x)T(x) - S(x)T'(x).$$

Let C be a genus 2 curve of equation $y^2 = P(x)Q(x)R(x)$, where P, Q, R are monic of degree 2. Let $C'$ be the curve given by the equation

$$\Delta y^2 = [Q,R](x)\,[R,P](x)\,[P,Q](x),$$

where $\Delta$ is the determinant of P, Q, R in the basis

Then Jac(C) and Jac(C') are (2, 2)-isogenous abelian varieties. Moreover the kernel and the expression of the isogeny can be made explicit.

This theorem is valid over any field of odd characteristic, including a 2-adic field. The next task is then to put the curve we have in a form suitable to apply the theorem, and then to make the right choice for P, Q and R, so that the (2, 2)-isogeny corresponds to the second power Frobenius isogeny, when we reduce everything modulo 2.

A convenient form to work with is a Rosenhain form: we find $\lambda_0$, $\lambda_1$ and $\lambda_\infty$ such that the curve of equation $y^2 = x(x-1)(x-\lambda_0)(x-\lambda_1)(x-\lambda_\infty)$ is isomorphic to C. By considering the reduction of the 2-torsion divisors, one can show that the $\lambda_i$ can be chosen such that $\lambda_1 \equiv 1 \bmod 4$, $\lambda_0 \equiv 0 \bmod 4$ and $\mathrm{val}(\lambda_\infty) = -2$.

Then the corresponding Rosenhain form for the curve $C'$, so that the isogeny reduces to the second power Frobenius modulo 2, is given by invariants $\lambda'$ satisfying

^ (mi - Voo){Uoo - Vq) _ (ui -Uoo)(Wi - Up) _ (Ui - Uoo)(wo - Up) 

°° {Ui - Vo){Uoo - Voc)' ^ (Mi - To)(Wi - Too)’ ° («! - t'o) “ ^^oo) ’ 

where $u_1$ and $u_\infty$ are the solutions of the equation

$$U^2 - 2\lambda_\infty U + \lambda_\infty(1 + \lambda_1) - \lambda_1 = 0,$$

$v_0$ and $v_\infty$ are the solutions of the equation

$$V^2 - 2\lambda_\infty V + \lambda_0 \lambda_\infty = 0,$$

and $w_0$ and $w_1$ are the solutions of the equation

$$(\lambda_0 - 1 - \lambda_1) W^2 + 2\lambda_1 W - \lambda_0 \lambda_1 = 0.$$

In all these formulae, the subscript indicates the value of the variable modulo 2 (and an infinity subscript means that the valuation is negative). Hence, the distinction between the roots of the equations of degree 2 is easy.
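Theorem 6.1 and the three quadratic equations above in executable form, as an added example that is not code from the paper or its authors. It computes the brackets and $\Delta$ with exact rationals, checks the duality identity [[R,P],[P,Q]] = -2Δ·P, and checks that the three quadratics are the brackets for the grouping P = (x-1)(x-λ1), Q = x(x-λ0), R = x-λ∞. Assumptions: Δ is taken in the basis (1, x, x²), the grouping is inferred here rather than stated in the text, and all function names and sample values are constructed.

```python
from fractions import Fraction

# Polynomials of degree <= 2 are coefficient lists [c0, c1, c2], low degree first.

def poly_mul(a, b):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def deriv(a):
    return [i * c for i, c in enumerate(a)][1:]

def bracket(S, T):
    """[S, T] = S'T - ST'. The cubic terms cancel, so the result has degree <= 2."""
    left, right = poly_mul(deriv(S), T), poly_mul(S, deriv(T))
    diff = [x - y for x, y in zip(left, right)]
    assert diff[3] == 0
    return diff[:3]

def det3(p, q, r):
    """Determinant of P, Q, R written on the basis (1, x, x^2) (assumed basis)."""
    return (p[0] * (q[1] * r[2] - q[2] * r[1])
            - p[1] * (q[0] * r[2] - q[2] * r[0])
            + p[2] * (q[0] * r[1] - q[1] * r[0]))

def richelot_dual(P, Q, R):
    """Return Delta and the three factors of Delta*y^2 = [Q,R][R,P][P,Q]."""
    delta = det3(P, Q, R)
    if delta == 0:
        raise ValueError("Delta = 0: degenerate grouping of the Weierstrass points")
    return delta, (bracket(Q, R), bracket(R, P), bracket(P, Q))

def rosenhain_brackets(l0, l1, linf):
    """Brackets for the Rosenhain grouping (grouping assumed for this example)."""
    P = [l1, -(1 + l1), 1]   # (x - 1)(x - l1)
    Q = [0, -l0, 1]          # x (x - l0)
    R = [-linf, 1, 0]        # x - linf, the sixth Weierstrass point being at infinity
    return bracket(P, R), bracket(Q, R), bracket(Q, P)

def page_quadratics(l0, l1, linf):
    """The three quadratics in U, V, W from the text, as coefficient lists."""
    U = [linf * (1 + l1) - l1, -2 * linf, 1]
    V = [l0 * linf, -2 * linf, 1]
    W = [-l0 * l1, 2 * l1, l0 - 1 - l1]
    return U, V, W

if __name__ == "__main__":
    # Constructed sample: P = x^2 - 1, Q = x^2 - 2x, R = x^2 + x + 1.
    P, Q, R = [-1, 0, 1], [0, -2, 1], [1, 1, 1]
    delta, (QR, RP, PQ) = richelot_dual(P, Q, R)
    print("Delta =", delta, " [Q,R] =", QR, " [R,P] =", RP, " [P,Q] =", PQ)
    print("dual of dual:", bracket(RP, PQ), "= -2*Delta*P")
    # Constructed 2-adic style values: l0 = 0 mod 4, l1 = 1 mod 4, val(linf) = -2.
    print(rosenhain_brackets(4, 5, Fraction(1, 4)) == page_quadratics(4, 5, Fraction(1, 4)))
```

The duality check is a cheap regression test for an implementation of the AGM step: a sign or index slip in any bracket breaks the identity.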

As a consequence, we can derive a genus 2 AGM lifting procedure just like in genus 1 as recalled in Section 2. At each step, we have to compute three square roots (for solving the three equations of degree 2) and a few products, additions and inversions. If the curve C we started with is ordinary, then the sequence converges (in the same sense as in Section 2) to the canonical lift of C. The theoretical explanation for that is given in [Car04].

To complete the algorithm, we still need to explain how to initialize the AGM iteration. Since the formulae involve the 2-torsion points, we need to have them defined in the base field that we consider. In other words, when looking at the starting curve defined over the finite field, $y^2 + h(x)y = f(x)$, it is necessary that h(x) splits completely. We restrict to the case where deg h = 2 and deg f = 5. Also, since the curve is supposed to be ordinary, the polynomial h is squarefree. Let us write $h(x) = x^2 + h_1 x + h_0 = (x - p_0)(x - p_1)$. Then, by doing the transformation to the Rosenhain form, and keeping everything formal, we can derive the following values for the initialization of the AGM iteration:


Aoo — Aq — 4 


f{Po)hl + f'{pl 
h\ 


Ai = 1 + 4 


f{pi)hl + f{pl] 
h\ 


6.2. Asymptotically fast lifting algorithm. In the p-adic CM method, we might need to lift the curve to a very high precision. The plain AGM method that we have just sketched has a complexity which is at best quadratic in the precision. This quickly becomes a problem. A first subquadratic algorithm was designed by Satoh, Skjernaa and Taguchi [SST03], then an almost-linear lifting method was designed by Kim et al. [KPG+02] in the case where the base field admits a Gaussian normal basis, and finally Harley obtained an almost-linear lifting method that works for any base field. A precise description and comparison of these methods in the elliptic case can be found in [Ver03].

We have used the asymptotically fast variant of Harley, that we now explain briefly.

Instead of going around the cycle of isogenous curves, getting closer and closer to the canonical lift, we consider only two curves C and C and their canonical lifts. Once lifted, the Rosenhain invariants of C should annihilate the Frobenius-twisted modular equations corresponding to the equations above: we should have

$$\Phi(\lambda, \lambda^{\sigma}) = 0,$$

where $\lambda$ is the vector $(\lambda_0, \lambda_1, \lambda_\infty)$ of Rosenhain invariants, $\sigma$ is the Frobenius substitution in a 2-adic field $\mathbb{Q}_q$, and $\Phi$ is the function from $\mathbb{Q}_q^6$ to $\mathbb{Q}_q^3$ that corresponds to the Richelot equations above, where the intermediate variables $u_i$, $v_i$ and $w_i$ have been eliminated.

Then an adaptation of the Newton lifting method can be used to compute a solution $\lambda$ to that equation, thus yielding the invariants of the canonical lift. A key ingredient of that method is that we have to be able to compute the action of $\sigma$ quickly. To this effect, the 2-adic field is represented in a polynomial basis, with a generator that is a root of unity (a Teichmüller lift of a generator of the underlying finite field). Then the computation of the Frobenius image of an element has a cost bounded by the cost of a few multiplications in the field. We skip the details and refer to [Ver03] for a precise description and analysis. Adapting the algorithm given there to the genus 2 case is essentially a multivariate rewriting of the algorithm for elliptic curves. Not surprisingly the Jacobian matrix of $\Phi$ is involved in place of just the two partial derivatives.

7. The p-adic LLL algorithm and Lagrange interpolation

As pointed out in Remark 2.1, (3), the hyperelliptic curves with complex multiplication by $\mathcal{O}_K$ in characteristic 2 do not all have the same field of definition. Moreover, given a class polynomial $H_k(X) \in \mathbb{Q}[X]$, not all roots in a field of characteristic 2 need to lead to a hyperelliptic curve with complex multiplication by the field K (see Subsection 3.3 and the discussion following Theorem 3.5). This happens for example for a non-normal K whose real subfield has class number one if 2 is inert in the real subfield $K_0$ but splits in $K/K_0$. In this case we find only $h_K$ hyperelliptic curves over a field of characteristic 2 with complex multiplication by $\mathcal{O}_K$ although there exist $2h_K$ isomorphism classes over $\mathbb{C}$.

Hence, it is more convenient to compute only one root up to a high precision and then apply the LLL algorithm to recover the minimal polynomial. Note that using this approach we will only find an irreducible factor of the class polynomials and these are in general not irreducible.

7.1. The p-adic LLL-algorithm. Given a lattice $\Lambda = \langle b_1, \dots, b_m \rangle$ the LLL algorithm produces a short lattice basis. This can be used to determine the minimal polynomial of an algebraic element given by a floating point representation. Let $\det(\Lambda)$ be the determinant of $\Lambda$. Using Minkowski’s inequality we can approximate the shortest lattice vector by

If $v \in \Lambda$ has length much smaller than this bound, it will be the shortest vector with high probability.

Let $\mathbb{Z}_q$ be an extension of $\mathbb{Z}_2$ of degree d with $\mathbb{Z}_2$-basis $1, w_1, \dots, w_{d-1}$. Let $\alpha \in \mathbb{Z}_q$ be a generator of $\mathbb{Z}_q$, and let $\tilde\alpha$ be an approximation of $\alpha$ modulo a high power of 2, say $\tilde\alpha \equiv \alpha \bmod 2^N$. We assume that we know the degree n of its minimal polynomial $f(x) \in \mathbb{Z}[x]$, i.e.

$$f(x) = a_n x^n + \dots + a_0$$

where the $a_i \in \mathbb{Z}$ are unknown. In order to determine the $a_i$, we determine a basis of the left kernel in $\mathbb{Z}^{n+d+1}$ of the matrix

where A is the $(n + 1) \times d$ matrix

$$\begin{pmatrix} 1 & 0 & \cdots & 0 \\ \alpha_{10} & \alpha_{11} & \cdots & \alpha_{1,d-1} \\ \vdots & & & \vdots \\ \alpha_{n0} & \alpha_{n1} & \cdots & \alpha_{n,d-1} \end{pmatrix}$$

with $\alpha_{jk}$ defined by

$$\tilde\alpha^j = \alpha_{j0} + \alpha_{j1} w_1 + \dots + \alpha_{j,d-1} w_{d-1}.$$

This kernel is a lattice $\Lambda$, in which the coefficients of the minimal polynomial of $\alpha$ are part of a short vector. Indeed, if $a_0, \dots, a_n$ are integers such that

$$a_n \tilde\alpha^n + \dots + a_0 \equiv 0 \bmod 2^N$$

then $(a_0, \dots, a_n, *, \dots, *)$ will be a short vector in $\Lambda$ that we expect to find in an LLL-reduced basis.
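The reconstruction described in this subsection, narrowed to d = 1 (so $\alpha \in \mathbb{Z}_2$) where a basis of the lattice can be written down directly. This is an added example, not the authors' implementation (they used NTL), with a textbook exact-rational LLL. Assumptions: the lattice used is the projection of the kernel lattice onto the coefficient coordinates $(a_0, \dots, a_n)$, and the two sample polynomials are constructed.

```python
from fractions import Fraction

def hensel_root(f, x0, N):
    """Lift a simple root x0 mod 2 of the integer polynomial f (low degree first) to mod 2^N."""
    M = 1 << N
    ev = lambda c, x: sum(a * pow(x, i, M) for i, a in enumerate(c)) % M
    df = [i * a for i, a in enumerate(f)][1:]
    if ev(f, x0) % 2 or ev(df, x0) % 2 == 0:
        raise ValueError("x0 must be a simple root of f modulo 2")
    x = x0 % M
    while ev(f, x):
        # Newton step: f'(x) is a 2-adic unit, so the precision doubles each time.
        x = (x - ev(f, x) * pow(ev(df, x), -1, M)) % M
    return x

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gram_schmidt(B):
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors, exact arithmetic (fine for tiny dimensions)."""
    B = [list(r) for r in B]
    k = 1
    while k < len(B):
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(gram_schmidt(B)[1][k][j])
            B[k] = [x - q * y for x, y in zip(B[k], B[j])]
        Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                 # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
    return B

def coefficient_lattice(alpha, N, n):
    """Basis of { (a_0..a_n) : a_0 + a_1*alpha + ... + a_n*alpha^n = 0 mod 2^N }."""
    M = 1 << N
    rows = [[M] + [0] * n]
    for i in range(1, n + 1):
        row = [0] * (n + 1)
        row[0], row[i] = -pow(alpha, i, M), 1
        rows.append(row)
    return rows

def minimal_polynomial(alpha, N, n):
    """Coefficients [a_0, ..., a_n] read off the first LLL vector, leading sign positive."""
    v = lll(coefficient_lattice(alpha, N, n))[0]
    lead = next(c for c in reversed(v) if c)
    return [-c for c in v] if lead < 0 else v

if __name__ == "__main__":
    N = 64
    a = hensel_root([2, 1, 1], 1, N)              # constructed: root of x^2 + x + 2 in Z_2
    print(minimal_polynomial(a, N, 2))
    b = hensel_root([2, 0, 1, 1], 1, N)           # constructed: root of x^3 + x^2 + 2 in Z_2
    print(minimal_polynomial(b, N, 3))
```

With 64 bits the target vector has norm $\sqrt{6}$ while $\det(\Lambda)^{1/(n+1)}$ is about $2^{21}$ or $2^{16}$, which is the "much smaller than the bound" situation the text relies on; with too little precision the first reduced vector is an unrelated short vector.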


7.2. Lagrange interpolation. In Section 4, Remark 4.2, we mention that we do not compute $H_1(X)$, $H_2(X)$ and $H_3(X)$ but $H_1(X)$ and two polynomials $G_2(X)$, $G_3(X)$ with the property that

$$j_2 \cdot H_1'(j_1) = G_2(j_1) \quad\text{and}\quad j_3 \cdot H_1'(j_1) = G_3(j_1).$$

Let us first consider the usual Lagrange interpolation, i.e. suppose we compute $F_k(X) \in \mathbb{C}[X]$ with

$$j_k = F_k(j_1) \quad\text{for } k = 2, 3.$$

Let us assume that the conjugates $j_1^{(i)}$ for $i = 1, \dots, n$ are all distinct (see Remark 7.1). Then $F_k(X)$ is given by

$$F_k(X) = \sum_{i=1}^{n} j_k^{(i)} \prod_{l \neq i} \frac{X - j_1^{(l)}}{j_1^{(i)} - j_1^{(l)}}.$$

Since $F_k(X)$ is easily seen to be Galois invariant, we have $F_k(X) \in \mathbb{Q}[X]$. Unfortunately, due to the factor

$$\prod_{l \neq i} \frac{1}{j_1^{(i)} - j_1^{(l)}},$$

the coefficients of $F_k(X)$ have usually a much larger height than those of $H_k(X)$. Hence, we prefer to compute $G_k(X)$ with the property

(7.1) $j_k H_1'(j_1) = G_k(j_1)$.

A formula for $G_k$ is then given by

$$G_k(X) = \sum_{i=1}^{n} j_k^{(i)} H_1'(j_1^{(i)}) \prod_{l \neq i} \frac{X - j_1^{(l)}}{j_1^{(i)} - j_1^{(l)}}.$$

Since

$$H_1'(j_1^{(i)}) = \mathrm{leadcoeff}(H_1(X)) \cdot \prod_{l \neq i} (j_1^{(i)} - j_1^{(l)})$$

where $\mathrm{leadcoeff}(H_1(X))$ denotes the leading coefficient of $H_1(X)$, we expect $G_k(X)$ to have approximately the same height as $H_1(X)$.


Remark 7.1. In order to be able to apply the Lagrange interpolation formula we need the roots of the polynomial $H_1(X)$ to be distinct. In practice we do not expect it to have any multiple roots. If this happens to be the case, we solve the problem by choosing some linear combinations of $j_1$, $j_3$ such that all roots are distinct.
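The trick of Remark 4.2 and Subsection 7.2, worked over a small prime field as an added example (not code from the paper): build $H_1$, $G_2$, $G_3$ from a set of triples, then recover every triple from the roots of $H_1$ alone through $j_k = G_k(j_1)/H_1'(j_1)$. Assumptions: $H_1$ is taken monic, the prime 101 and the triples are constructed, and roots are found by brute force, which is only sensible for such a toy prime.

```python
def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def poly_eval(a, x, p):
    acc = 0
    for c in reversed(a):          # Horner, coefficients are low degree first
        acc = (acc * x + c) % p
    return acc

def deriv(a, p):
    return [(i * c) % p for i, c in enumerate(a)][1:]

def class_data(triples, p):
    """Build monic H1 and G2, G3 of degree n-1 with j_k * H1'(j1) = G_k(j1) on every triple."""
    roots = [t[0] for t in triples]
    if len(set(roots)) != len(roots):
        # Case of Remark 7.1: j1 does not separate the points, H1 is not squarefree.
        raise ValueError("j1 is not a separating function for these triples")
    H1 = [1]
    for r in roots:
        H1 = poly_mul(H1, [-r % p, 1], p)
    G2, G3 = [0] * len(roots), [0] * len(roots)
    for i, (_, j2, j3) in enumerate(triples):
        cof = [1]                  # prod_{l != i} (X - j1^(l)) = H1(X) / (X - j1^(i))
        for l, r in enumerate(roots):
            if l != i:
                cof = poly_mul(cof, [-r % p, 1], p)
        G2 = [(g + j2 * c) % p for g, c in zip(G2, cof)]
        G3 = [(g + j3 * c) % p for g, c in zip(G3, cof)]
    return H1, G2, G3

def triples_from_roots(H1, G2, G3, p):
    """One root search on H1, then j2 and j3 by a single evaluation and inversion each."""
    dH, out = deriv(H1, p), []
    for x in range(p):
        if poly_eval(H1, x, p) == 0:
            d = poly_eval(dH, x, p)
            if d == 0:
                raise ValueError("H1 has a multiple root modulo p; pick another prime")
            inv = pow(d, -1, p)
            out.append((x, poly_eval(G2, x, p) * inv % p, poly_eval(G3, x, p) * inv % p))
    return out

def naive_candidate_count(triples):
    """Number of (x1, x2, x3) to test when only the roots of H1, H2, H3 are known."""
    return (len({t[0] for t in triples}) * len({t[1] for t in triples})
            * len({t[2] for t in triples}))

if __name__ == "__main__":
    p = 101
    triples = [(3, 17, 90), (10, 5, 44), (57, 17, 8), (88, 60, 1)]   # constructed sample
    H1, G2, G3 = class_data(triples, p)
    print(triples_from_roots(H1, G2, G3, p))
    print("candidates without G2, G3:", naive_candidate_count(triples))
```

Each wrong candidate in the naive loop costs a run of Mestre's algorithm and a CM check, so the count matters far more than the polynomial arithmetic does.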
7.3. Lagrange interpolation and LLL. We now modify the lattice given in Subsection 7.1 to work for determining $G_2(X)$ and $G_3(X)$. Let $d_k$ be the denominator of $G_k(X)$. Then equation (7.1) becomes

where $\tilde G_k(X) = d_k G_k(X) \in \mathbb{Z}[X]$.

We consider the lattice $\Lambda$ which is the kernel of the matrix

where the rows of A contain the coefficients of $1, j_1, \dots, j_1^{n-1}, H_1'(j_1) j_2$, expressed on the $\mathbb{Z}_2$-basis. If we have

$$\tilde G_k(X) = a_{n-1}X^{n-1} + a_{n-2}X^{n-2} + \dots + a_0,$$

then the vector $(a_0, \dots, a_{n-1}, d_k, *, \dots, *)$ will be a short vector in $\Lambda$ that we expect to find in an LLL-reduced basis.

7.4. Starting from several triples. It is often possible to compute p-adic approximations of several triples $(j_1, j_2, j_3)$ of invariants of curves having CM by $\mathcal{O}_K$. Furthermore, it can be the case that those triples form an orbit under the action of a subgroup of the Galois group of the field generated by the invariants.

Before showing how this can be used to speed up the computations, let us give two examples of situations where we get such information.

• Once we have lifted one triple $(j_1, j_2, j_3)$ of elements in $\mathbb{Z}_q$ where $q = 2^d$, we can easily compute the d conjugate triples by applying the Frobenius automorphism of $\mathbb{Z}_q$.

• It is possible that by enumerating all isomorphism classes over the finite fields we have found several nonconjugate curves having CM by $\mathcal{O}_K$. For instance, if K is non-normal, $h_{K_0} = 1$, $N(\epsilon_0) = 1$ and the class number $h_K$ is odd, we expect to find at least $h_K$ isomorphism classes over the finite field.

Let $(j_1^{(i)}, j_2^{(i)}, j_3^{(i)})_{1 \le i \le k}$ be such a set of conjugate triples, where k divides n. Then the symmetric functions of these triples are in an extension of degree n/k of $\mathbb{Q}$. It is then possible to build appropriate symmetric functions, so that applying the LLL algorithm to recognize algebraic numbers of degree n/k will allow us to reconstruct the polynomials $H_1$, $G_2$, $G_3$. We expect this approach to be faster than applying the LLL algorithm to reconstruct elements of degree n directly, since the complexity of lattice reduction depends badly on the dimension of the lattice (hence on the degree of the elements to recognize).

On the other hand, having the possibility to recognize elements of smaller degree implies more involved computations to deduce the polynomials $H_1$, $G_2$, $G_3$. This is based essentially on resultant computations. We now give more details about this approach.

We start by building the polynomial $M_1(X)$ whose roots are the $j_1^{(i)}$:

$$M_1(X) = (X - j_1^{(1)})(X - j_1^{(2)}) \cdots (X - j_1^{(k)}) = X^k + m_{k-1}X^{k-1} + \dots + m_1 X + m_0.$$

By the discussion above, the coefficients $m_i$ of $M_1(X)$ are algebraic elements of degree n/k. We use the LLL algorithm to compute the minimal polynomial $P(X) \in \mathbb{Q}[X]$ of $m_0$. Let us call $K_P$ the number field $\mathbb{Q}[X]/(P(X))$, which is a degree n/k subfield of the field $k_0$ of degree n containing the CM invariants. Then we recognize the other $m_i$ as elements of $K_P$, expressed in terms of $m_0$. For that we use again the LLL algorithm, but with the modified lattice as in Section 7.3. Hence $M_1$ has been rewritten as a bivariate polynomial

$$M_1(X, Y) = X^k + m_{k-1}(Y)X^{k-1} + \dots + m_1(Y)X + Y$$

with rational coefficients, where Y is a root of the polynomial P(Y). The resultant in Y of $M_1(X, Y)$ and $P(Y)$ is the polynomial $H_1(X)$ we are looking for, perhaps up to a multiplicative factor.

We can perform the same kind of computation for $j_2$ and $j_3$, so as to obtain $H_2(X)$ and $H_3(X)$. However, we would prefer to obtain $G_2(X)$ and $G_3(X)$ that give more information. Let us explain how to get $G_2(X)$; the polynomial $G_3(X)$ is computed in a similar manner.

Let $M_2(X)$ be the polynomial (with p-adic coefficients) of degree at most $k - 1$ such that $j_2^{(i)} = M_2(j_1^{(i)})$, for $1 \le i \le k$, that we can compute by a simple Lagrange interpolation. Write $M_2(X) = n_{k-1}X^{k-1} + \dots + n_1 X + n_0$. As before, by Galois invariance, the coefficients $n_i$ are algebraic elements of degree n/k, and in fact are contained in $K_P$. We can recognize them using the LLL algorithm with the modified lattice, and we get a bivariate polynomial

$$M_2(X, Y) = n_{k-1}(Y)X^{k-1} + \dots + n_1(Y)X + n_0(Y),$$

defined over $\mathbb{Q}$, where Y is again a root of P(Y). To convert back into a univariate representation, we need an explicit expression for the embedding of the subfield $K_P$ into $\mathbb{Q}[X]/(H_1(X))$. The computation of this embedding can be handled by various algorithms. We suggest the following: the polynomial $H_1(X)$ is obtained as the resultant of $M_1(X, Y)$ and $P(Y)$. If this resultant is computed by the subresultant algorithm, on the way to the solution we compute a polynomial of degree 1 in Y that belongs to the ideal generated by $M_1(X, Y)$ and $P(Y)$. Let us denote this polynomial by $S(X, Y) = S_1(X)Y + S_0(X)$. Then as an element of $\mathbb{Q}[X]/(H_1(X))$, a root of P is given by $-S_0(X)/S_1(X)$, thus yielding the required embedding.

Once $M_2$ has been recognized as an element of $\mathbb{Q}[X]/(H_1(X))$, we just have to renormalize it with $H_1'(X)$, to obtain $G_2(X)$.

Remark 7.2. In the description of our method, we have overlooked two problems that we encounter when actually implementing these algorithms:

• The elements are not algebraic integers, so we have to take care of denominators everywhere. This is not a big difficulty but can induce many programming mistakes.

• If we implement the method line by line, there is a huge explosion of the sizes of the coefficients in the middle of the algorithm. Once p-adic elements are recognized as algebraic elements, we therefore have to switch to modular computation: resultants, subresultants, and computations in $\mathbb{Q}[X]/(H_1(X))$ must be handled by computing modulo sufficiently many primes, and we switch back to integers only for the final reconstruction of $H_1$, $G_2$ and $G_3$, when we know that the integers have a reasonable size.

Remark 7.3. As before, in this algorithm we made some genericity assumptions. Indeed, it could well be that the coefficient $m_0$ that we used to define the subfield $K_P$ is in fact in a subfield of degree less than n/k. In that case, we just have to choose another element to define the field $K_P$ we work with.
8. Determining the endomorphism ring

A critical issue is the identification of a representative curve whose Jacobian has maximal endomorphism ring. It is necessary to have a mechanism to discard curves associated to the nonmaximal orders. The following proposition gives a partial answer.

Proposition 8.1. Let f be the minimal polynomial of the Frobenius endomorphism on the Jacobian $J_C$ of a genus 2 curve C defined over $\mathbb{F}_q$ of characteristic p. Let $\pi$ be any root of this polynomial and set $K = \mathbb{Q}(\pi)$. Let the set

$$\left\{ \frac{g_1(\pi)}{p^{e_1} m_1}, \dots, \frac{g_t(\pi)}{p^{e_t} m_t} \right\}$$

generate the maximal order $\mathcal{O}_K$ over $\mathbb{Z}[\pi, \bar\pi]$ with $(m_i, p) = 1$. Then $g_i(\pi)/m_i$ is in $\mathrm{End}(J_C)$ if and only if $g_i(\pi)$ is the zero map on $J_C[m_i](\mathbb{F}_q)$.

Remark 8.1. If all the $e_i = 0$, then we can really test the maximality, as mentioned in [EL04]. However, and unlike the genus 1 case, it is possible that $\mathbb{Z}[\pi, \bar\pi]$ is not p-maximal in $\mathcal{O}_K$ and then we cannot answer the problem.

Besides this algorithm, there are some other strategies which can be applied:

(1) Suppose we are given a curve C of genus two with field of definition $\mathbb{F}_q = \mathbb{F}_{2^d}$ and Frobenius polynomial $f_C(x)$. Let K be the quartic CM field generated by $f_C(x)$. Using the discussion following Theorem 3.5, we can compute the degree $f_1$ (resp. $f_2$) of the field of definition of the curves in characteristic 2 with complex multiplication by $\mathcal{O}_K$. If $d \neq f_1$ and $d \neq f_2$, the endomorphism ring of C cannot be maximal. Hence, we assume that $d = f_i$ for some i = 1, 2.

(2) Furthermore we can use the fact that the endomorphism ring of the maximal order is in general as uncyclic as possible (a similar idea has been mentioned in [EL04]). By this we mean the following: Suppose we find two hyperelliptic curves $C_1$ and $C_2$ with the same characteristic polynomial, i.e. $f_{C_1}(x) = f_{C_2}(x)$. Then over every field extension of $\mathbb{F}_{2^d}$ the group of rational points on the Jacobian will have the same order but not necessarily the same group structure. Suppose we have a prime $\ell$ such that $J_{C_1}$ has all $\ell$-torsion points rational ($\ell \neq p$) and not $J_{C_2}$, then the conductor of the order of the endomorphism ring of $J_{C_2}$ will contain the prime $\ell$. Indeed, $(\pi - 1)/\ell \in J_{C_1}$ but is not in $J_{C_2}$.


9. Numerical examples

9.1. Implementation. We have implemented our algorithm using various computer algebra 
packages. The first implementation has been written at a high level, using the Magma 
system [BC97]. Then, to be able to deal with high precisions, the asymptotically fast lifting 
algorithm using Richelot isogeny has been implemented in C, based upon the Mploc package 
written by Emmanuel Thome [Tho]. Finally, for the LLL computations, we have interfaced 
our programs with Victor Shoup’s NTL library [Sho]. Those three packages use the GMP 
library [Gra02] for their time-critical integer operations. 

After these optimizations, the cost of computing the canonical lift of a curve is not so 
high, even if precision is huge. Therefore it appears that the bottleneck of our method is the 
LLL computation and the method of section 7.4 should be used for large examples. 
9.2. A non-Galois example with n = 2h. We start with the curve C of equation $y^2 + h(x)y + f(x) = 0$ over $\mathbb{F}_8 = \mathbb{F}_2[t]/(t^3 + t + 1)$, with

f{x) = x^ + t^x^ + t^x"^ + t^x, 
h{x) = x'^ + X. 

The curve is ordinary and has CM by the maximal order of $K = \mathbb{Q}(i\sqrt{23 + 4\sqrt{5}})$. The field K is non-normal and its class number is 3; so we have 6 isomorphism classes of principally polarized abelian varieties.

We apply our algorithm and compute the canonical lift of C to high precision (in fact, a posteriori, we see that 1200 bits are enough) and get its invariants. From this we reconstruct the minimal polynomial $H_1$ and the corresponding $G_2$ and $G_3$. As expected, the degree of $H_1$ is 6.

Hi = 2 ^^ 5 ^^ 7 ^'^ T® 

- 11187730399273689774009740470140169672902905436515808105468750000 T® 

-h501512527690591679504420832767471421512684501403834547644662988263671875000 T* 

- 10112409242787391786676284633730575047614543135572025667468221432704263857808262923 H 

-h118287000250588667564540744739406154398135978447792771928535541240797386992091828213521875 H 
-2i3®°5^°lFl3^53^70F 16319^69938793494948953569198870004032131926868578084899317 T 
-h 3®° 5 23® 409® 179364113® 

G 2 = 2-®(2734249284974589542086559782016563911333032280921936035156250000 T® 

-h 57554607277149797568849387967258354564256002479144001401149377453125000000 H 
+2402137816085408582966361480412923409977297040376760501014543382338189483861887923T® 
-75691166837057576824962404339816428897154828109931810138346946500235981947587900092046875 H 
+ 2i3'‘®5®'’35828519670812312117443096939126403484719666514876459782054400437 T 
-3®®5®®11® 13^23®409®23879®179364113®370974539856105277) 

Gs = 2"'‘(200620022977265019387539624994933881234269211769104003906250000 T® 

-23006467431764975697282545882188900514908468992554759536043135578125000000 H 
+615017294619678068611319414718144161545088218260214211563850151291136646894987547T® 

- 14310698742415340178789612716269299249317950024503557714370659520249839645781463819312875 H 
-2i3'‘®5® 13^61® 18373951326869® 25713288587261208212107985724468058651509734160907 T 

+ 3®®5®®23M09^23561®440131®179364113M51986402352017881724712641689) 

By looking at the Newton polygon of $H_1$ for the 2-adic valuation, we see that there are three roots that have valuation 0, and the others have negative valuation. Hence only three of the curves have good reduction modulo 2. However, since $H_1$ is irreducible over $\mathbb{Q}$, starting with one curve (or from the 3 conjugate curves) yields the whole $H_1$.

This is consistent with Theorem 3.5. Indeed, 2 is inert in $K_0 = \mathbb{Q}(\sqrt{5})$ and splits in two prime ideals of degree 2 in K. Hence we are in subcase (4). Furthermore, one can check that each of the prime ideals above 2 has order 3 in the class group of K.

9.3. A large example. We start with the curve C of equation $y^2 + h(x)y + f(x) = 0$ over
F 3 .=F+]/+ + i^;i).with 

fix) = x^+f^^x^+ +t^'^x., 

hix) = x^ + t^x. 

The curve is ordinary and has CM by the maximal order of $K = \mathbb{Q}(i\sqrt{75 + 12\sqrt{17}})$. The field K is non-normal and its class number is 50; so we have s = 100 isomorphism classes of principally polarized abelian varieties. The ideal (2) splits completely in K, and the primes above 2 have order 5 and 25 in the class group.

However, when looking for a minimal polynomial of the lifted value of $j_1$, the LLL algorithm produced a plausible answer of degree 50. In fact, it seems that the class polynomial of degree s is not irreducible over the rationals, but splits in two factors of degree n = 50. Using our method, we can only produce one of these factors $H_1(X)$, and the corresponding polynomials $G_2(X)$ and $G_3(X)$.

For this large example, it would have been much faster to use the 5 conjugate curves instead of only one. Indeed, with our implementation, using only one curve (and therefore, doing lattice reduction to recognize elements of degree 50) requires about one day for the whole computation on an Athlon64 processor, most of the time being spent in LLL.

For that case, we use a p-adic precision of 65000 bits. The running time to lift the curve 
and compute the invariants is 20 seconds. 

The leading coefficient oi Hi is 3 ^°lli 56 l 7 ®° 23 ^ 24 l 2473 i 2 g 3 i 2 ^g^ 48 g 9 ^i 2 _ 

9.4. Checking the result. Since we cannot give a bound on the coefficients of the class 
polynomials, there is no way to prove the result of the computation. However there are some 
hints that indicate that the result is correct. 

• The leading coefficient can be a large integer. However, we expect this integer to be 
very smooth. In particular, it should be easy to factor this number by trial division, 
even though the integer has several hundreds of decimal digits. This could not occur 
for a random integer. Therefore, if the answer of the LLL algorithm has this property, 
then we probably had enough precision. 

• When reducing the class polynomials modulo a suitable prime p, one should be able to recover curves with the prescribed complex multiplication. Hence, we can choose a prime p small enough so that all the computations are easy, and check that everything is consistent. For instance, the large example of the previous section was checked with the prime p = 47653 which splits completely in K into 4 prime ideals that are principal. Then we check that $H_1$ splits completely over $\mathbb{F}_p$, and from its roots we deduce invariants and then equations for curves (using Mestre’s algorithm) that have indeed CM by $\mathcal{O}_K$.


10. Complexity

In this section, we estimate the cost of our algorithm. The usual way of computing class polynomials was described in [Wen03]. One starts with a CM field, computes the period matrices $(\Omega_i)_i$, recovers the j-invariants by computing theta constants and computes the class polynomials by gathering all the j-invariants. Weng’s algorithm is dominated by the computation of theta constants. This computation depends on the value of the first minima of the period matrix, which makes the analysis of this part difficult. However a naive evaluation of the theta constants is quadratic in the precision. Our algorithm is linear in the precision. Let us give some details. We can distinguish two steps: the canonical lift of the curve and the LLL part. Recursive programming based on the formulae of Richelot leads to a linear algorithm in the precision. More precisely the complexity is $O((nk)^{1+\epsilon})$ where n is the degree of the extension, k the final precision of the p-adic j-invariants and $\epsilon$ represents the logarithmic factors in n and k. Then we use LLL to recover the class polynomials. Given $(b_1, b_2, \dots, b_m)$ a basis of a lattice $\Lambda$ such that for all i in $\{1, \dots, m\}$, $\|b_i\|^2 \le B$, LLL returns an LLL-reduced basis in time $O(m^6 \log^3(B))$. In our case $\log(B)$ is the precision needed in order to make LLL work, so this step is in $O(m^6 k^3)$. The dimension of the lattice m is here the degree h of our class polynomials $H_k(X)$. Note that the floating-point version of LLL has been improved by Nguyen and Stehlé in [NS05]. Their version has a complexity of $O(m^5 (m + \log(B)) \log(B))$. When we look at the LLL complexity, we can see that the dimension of the lattice has a very bad influence on efficiency. To reduce the dimension, one can proceed as suggested in 7.4. For instance, if one looks at the example 9.2, we can see that $H_1(X)$ has bad reduction modulo 2. It gives a degree 3 polynomial. Thus, if one seeks CM curves over $\mathbb{F}_{2^3}$ with maximal order in $K = \mathbb{Q}(i\sqrt{23 + 4\sqrt{5}})$, one finds three such curves. Hence, LLL has to deal with a lattice of dimension only 2. However such an
enumeration is quite expensive. It takes 2^"' operations to enumerate all the curves and 
therefore one can afford it only over small extensions of $\mathbb{F}_2$. Note that, in practice, this idea is still valuable because extensions of $\mathbb{F}_2$ of degree less than 10 already provide huge class numbers (for instance with n = 7, one can find a quartic CM field whose class number is 6496).

11. Conclusion 

We have presented in this article a 2-adic construction of CM genus 2 curves based on the AGM. This construction seems more efficient than the existing complex method. However, as for genus 1, it does not allow one to obtain all CM fields. To tackle this problem, one should first find analogues of the AGM method in characteristics greater than 2.

Another possible generalization is to higher genus. Note that for generic genus 3 curves, no explicit method is known to construct a curve over $\mathbb{Q}$ whose Jacobian has complex multiplication. Such a construction can be done over the 2-adics with the AGM. However unlike the hyperelliptic case, one does not know a complete set of invariants for non hyperelliptic genus 3 curves which, for the moment, prevents making the link with number fields.